Creating notifications in the Symantec Endpoint Protection Manager

Article:TECH91622  |  Created: 2009-01-05  |  Updated: 2009-01-19  |  Article URL http://www.symantec.com/docs/TECH91622
Article Type
Technical Solution


Environment

Issue

How to set up notifications in the Symantec Endpoint Protection Manager.


Solution



Notifications are messages about security events that have taken place in an Endpoint Protection
    environment. Notifications can be configured to alert both clients and network administrators using the following methods:
    • Send an email.
    • Run a batch file or another executable file.
    • Log an entry in the notifications log in the Endpoint Protection Manager database.

    See “Creating administrator notifications” on page 211 of the Administration_Guide.PDF


    Viewing and filtering administrator notification information


    You can view the information from the notifications log in the same way that you view the
    information that is contained in other logs. You can filter the notifications log to view
    information about a single type of notification event at a time. You can filter your view
    of notifications and save the filters for future use.


    Using notifications

    You can filter notifications in the log based on the following criteria:
    • Time range
    • Acknowledgment status
    • Type
    • Creator
    • Name


    To view all notifications
    1. In the management console, click Monitors.
    2. On the Notifications tab, click View Notifications. The list of all types of notifications appears.


    To filter your view of notifications
    1. In the management console, click Monitors.
    2. On the Notifications tab, under What filter settings would you like to use, click Advanced Settings.
    3. Set any option you want to filter on. You can filter on any combination of the time range, the acknowledgment status, the notification type, the creator, or a specific notification name.
    4. Click View Notifications.

    A list of the type of notifications that you selected appears. Some notification types
    contain default values when you configure them.


    Threshold guidelines for administrator notifications

    NOTE: These guidelines provide reasonable starting points depending on the size of your
    environment, but they may need to be adjusted. Trial and error may be required to find
    the right balance between too many and too few notifications for your environment. Set the
    threshold to an initial limit, then wait for a few days. See if you receive notifications too
    infrequently or if notifications inundate you or your network.

    For virus, security risk, and firewall event detection, suppose that you have fewer than 100 computers
    in a network. A reasonable starting point in this network is to configure a notification when two risk events
    are detected within one minute. If you have 100 to 1000 computers, detecting five risk events within one
    minute may be a more useful starting point.


    Creating administrator notifications

    You can create and configure notifications to be triggered when certain security-related
    events occur. You can configure the software to take the following notification actions:
    • Log the notification to the database.
    • Send an email to individuals.
      Note: To send notifications by email, you must also configure a mail server. To configure
      a mail server, click the Admin > Servers page, select a server, click Edit Server Properties,
      and then click the Mail Server tab.
    • Run a batch file or other kind of executable file.

    The default damper period for notifications is Auto (automatic). If a notification is triggered
    and the trigger condition continues to exist, the notification action that you configured is not
    performed again for 60 minutes. For example, suppose you set a notification so that you are
    emailed when a virus infects five computers within one hour. If a virus continues to infect your
    computers at or above this rate, Symantec Endpoint Protection emails you every hour. The
    emails continue until the rate slows to fewer than five computers per hour.

    You can configure the software to notify you when a number of different types of
    events occur.

    Using the Notification Conditions settings, you can configure a client security alert by
    occurrences on any computer, a single computer, or on distinct computers. You can also
    configure these options for a risk outbreak.
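    To make the threshold guidelines, the damper period and the three Notification Conditions modes concrete, here is an added Python model. It is not part of the original article and not Symantec's code: it replays a constructed list of risk events (host names and times are invented) through an "N occurrences within M minutes" condition in each mode the console offers (any computer, distinct computers, single computer) and suppresses repeat actions for a fixed damper period. The damper is a simplified model of the Auto setting described above; SEPM's own evaluation may differ in detail.

```python
"""Model of an SEPM 'N occurrences within M minutes' notification condition
with a damper period, run over a constructed sample of risk events."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample risk events (timestamp, client computer); not real SEPM data.
SAMPLE_EVENTS = [
    ("2009-01-05 08:00:00", "PC-01"),
    ("2009-01-05 08:00:30", "PC-02"),
    ("2009-01-05 08:00:45", "PC-01"),
    ("2009-01-05 08:05:00", "PC-03"),
    ("2009-01-05 08:30:00", "PC-04"),
    ("2009-01-05 08:30:20", "PC-05"),
    ("2009-01-05 08:30:40", "PC-06"),
    ("2009-01-05 08:30:50", "PC-07"),
    ("2009-01-05 08:30:58", "PC-08"),
    ("2009-01-05 09:10:00", "PC-01"),
    ("2009-01-05 09:10:10", "PC-02"),
]


def parse_events(rows):
    """Turn (text timestamp, host) rows into sorted (datetime, host) tuples."""
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host) for ts, host in rows)


def simulate(events, occurrences, window_minutes, mode="any", damper_minutes=60):
    """Return the timestamps at which the notification action fires.

    mode: "any"      - occurrences on any computer (all events in the window)
          "distinct" - occurrences on distinct computers
          "single"   - occurrences on a single computer
    Once the action fires it is not repeated for damper_minutes, even if the
    condition keeps being met (simplified model of the Auto damper).
    """
    window = timedelta(minutes=window_minutes)
    damper = timedelta(minutes=damper_minutes)
    recent, fired, last_fire = [], [], None
    for ts, host in events:
        recent.append((ts, host))
        # Slide the window: keep only events no older than window_minutes.
        recent = [(t, h) for t, h in recent if ts - t <= window]
        hosts = [h for _, h in recent]
        if mode == "any":
            count = len(hosts)
        elif mode == "distinct":
            count = len(set(hosts))
        elif mode == "single":
            count = max(Counter(hosts).values())
        else:
            raise ValueError("unknown mode: %s" % mode)
        if count >= occurrences and (last_fire is None or ts - last_fire >= damper):
            fired.append(ts)
            last_fire = ts
    return fired


def fire_times(**kwargs):
    """Run simulate() over the sample and return the firing times as HH:MM:SS strings."""
    return [t.strftime("%H:%M:%S") for t in simulate(parse_events(SAMPLE_EVENTS), **kwargs)]


if __name__ == "__main__":
    print("2 in 1 min, any computer, 60 min damper:", fire_times(occurrences=2, window_minutes=1))
    print("2 in 1 min, any computer, no damper:    ", fire_times(occurrences=2, window_minutes=1, damper_minutes=0))
    print("2 in 1 min, single computer:            ", fire_times(occurrences=2, window_minutes=1, mode="single"))
    print("5 in 1 min, distinct computers:         ", fire_times(occurrences=5, window_minutes=1, mode="distinct"))
```

    On this sample the small-network setting (2 in 1 minute) fires twice with the damper and seven times without it, the single-computer mode fires only when PC-01 is hit twice in a minute, and the 5-in-1-minute setting fires once, on the 08:30 burst. Swapping in your own exported risk log rows is the quickest way to see which threshold gives a tolerable volume before you commit to it in the console.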

    To create an administrative notification:
    1. In the management console, click Monitors.
    2. On the Notifications tab, click Notification Conditions.
    3. Click Add, and then select the type of notification that you want to add from the list that appears.
    4. In the new window that appears, in the Notification name text box, type a descriptive name.
    5. Specify the filter options that you want. For example, for some types of notifications, you can limit the notification to specific domains, groups, servers, computers, risks, or applications.
    6. Specify the notification settings and the actions that you want to occur when this notification is triggered. You can click Help to see descriptions of the possible options for all types of notifications.
    7. Click OK.


    Sending mail as a result of a notification.

    If you select Send email to as the action to take, the email notification depends on the mail
    server's user name option. The user name that is configured for the mail server in the Server
    Properties dialog must be a fully qualified email address in the form user@domain.
    If this field is left blank, the notifications are sent from SYSTEM@computername; a mail
    server that validates the sender domain may reject such messages, which is another reason to
    set a real address here. If the reporting server has a name that uses Double Byte Character
    Set (DBCS) characters, you must fill in the user name field with an email account name of the
    form user@domain.
    To check this setting, follow the instructions below.
    1. Log in to the SEPM.
    2. From the Admin tab, click Servers > Server name > Edit server properties > Mail server tab.
    3. Enter the name in the form "user@domain-name.com" (as an example). The name used must be a valid user name that belongs to the domain.


    NOTE: The Symantec Endpoint Protection Manager cannot send email notifications to an SMTP
    server that is configured to require Secure Password Authentication (SPA). You will need to
    configure SEPM to use another mail server that does not require SPA, or disable the SPA
    requirement on your current email server.

    To test whether the server requires Secure Password Authentication:

    Configure another email client program, such as Outlook or Outlook Express to send POP3/SMTP
    Email using the same SMTP Server. If you are only able to send Email through that SMTP Server
    when the option "Log on using Secure Password Authentication" (or similar) is checked this indicates
    that SPA is required.
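    A quicker check than reconfiguring a mail client is to ask the SMTP server which authentication mechanisms it advertises in its EHLO response. The following Python script is an added example, not Symantec's and not part of the original article. It assumes that Outlook's "Secure Password Authentication" corresponds to the NTLM and GSSAPI SASL mechanisms, and that SEPM's Mail Server tab (user name plus password) needs a password-based mechanism such as LOGIN or PLAIN. The EHLO transcript embedded below is constructed so the classifier can be exercised offline; probe_server() performs the same classification against a live host.

```python
"""Classify the AUTH mechanisms an SMTP server offers: password-based (usable by SEPM)
or Secure Password Authentication only (NTLM/GSSAPI, which SEPM cannot use)."""
import smtplib

# Assumption: SPA in Outlook-style clients means NTLM, or Kerberos via GSSAPI.
SPA_MECHS = {"NTLM", "GSSAPI"}
# Mechanisms that take a plain user name and password, as on SEPM's Mail Server tab.
PASSWORD_MECHS = {"PLAIN", "LOGIN", "CRAM-MD5", "DIGEST-MD5"}

# Constructed EHLO transcript of a server that only offers Windows-integrated auth.
SAMPLE_EHLO_SPA_ONLY = """250-mail.example.com Hello [192.0.2.10]
250-SIZE 37748736
250-PIPELINING
250-AUTH NTLM GSSAPI
250-8BITMIME
250 OK"""


def auth_line_from_ehlo(ehlo_text):
    """Return the parameters of the AUTH capability from a raw EHLO response ("" if absent)."""
    for line in ehlo_text.splitlines():
        body = line[4:].strip()          # drop the "250-" / "250 " prefix
        words = body.split()
        if words and words[0].upper() == "AUTH":
            return " ".join(words[1:])
    return ""


def classify_auth(auth_params):
    """Return 'none', 'password', 'spa-only' or 'spa-and-password'."""
    mechs = {m.upper() for m in auth_params.split()}
    has_spa = bool(mechs & SPA_MECHS)
    has_pw = bool(mechs & PASSWORD_MECHS)
    if has_spa and has_pw:
        return "spa-and-password"
    if has_spa:
        return "spa-only"
    if has_pw:
        return "password"
    return "none"


def sepm_can_authenticate(auth_params):
    """SEPM supplies a user name and password, so it needs a password-based mechanism."""
    return classify_auth(auth_params) in ("password", "spa-and-password")


def probe_server(host, port=25, timeout=10):
    """Live check: EHLO the server (again after STARTTLS if offered) and classify its AUTH line."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if smtp.has_extn("starttls"):
            smtp.starttls()
            smtp.ehlo()                  # the capability list can change after TLS
        return classify_auth(smtp.esmtp_features.get("auth", ""))


if __name__ == "__main__":
    params = auth_line_from_ehlo(SAMPLE_EHLO_SPA_ONLY)
    print("offline sample:", params, "->", classify_auth(params),
          "| SEPM can authenticate:", sepm_can_authenticate(params))
```

    A result of "spa-only" is the case the note above describes: the server will not accept the user name and password SEPM sends, so either enable a password mechanism on that server (ideally only over TLS) or point SEPM at a relay that offers one. A result of "none" means the server expects unauthenticated relay from SEPM's address, which should then be restricted by source IP on the mail server side. If a password mechanism appears only after STARTTLS, confirm that your SEPM version negotiates TLS before relying on it.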


    Running a batch or executable file as the result of a notification.

    If you select Run the batch or executable file as the action to take, type in
    the name of the file only. Path names are not allowed. The batch file or executable
    file to run must be located in the following directory:

    drive:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin

    Because the SEPM service runs under the Local System account, whatever file a notification
    names in this directory is executed with SYSTEM privileges each time the notification fires.
    Make sure that only administrators can write to the bin directory, and keep the batch file
    non-interactive (no prompts or pauses) so it never blocks waiting for input.

    For this process to function properly, the "Symantec Endpoint Protection Manager" (SEPM)
    service must be allowed to interact with the desktop. Enabling this exposes a
    SYSTEM-privileged service to the interactive desktop, so enable it only on the management
    server itself. Note also that on Windows Vista, Windows Server 2008 and later, session 0
    isolation prevents interactive services from displaying anything on a user's desktop.

    To allow the SEPM service to interact with the desktop:
    1. Use an administrative Login to access the machine which has SEPM installed.
    2. Click Start > Run, and type services.msc, then click OK.
    3. Find the "Symantec Endpoint Protection Manager" service, right click and select "Properties".
    4. Select the "Log On" Tab.
    5. Under "Local System Account" check the box to "Allow service to interact with desktop".
    6. Click OK.
    7. Restart the Machine.
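    The following Python preflight script is an added example for the SEPM host, not from the article and not Symantec's code. It checks the three requirements above: that the configured action is a bare file name (no path), that the file is present in the bin directory, and that the service is marked interactive, which it determines by parsing the output of sc qc. The service short name semsrv and the set of accepted file extensions are assumptions; the sc qc output used in the offline check is constructed.

```python
"""Preflight checks for a 'Run the batch or executable file' notification action."""
import os
import re
import subprocess

# Install path given in the article; adjust if SEPM was installed on another drive.
SEPM_BIN = r"C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin"
# Assumed short service name of the "Symantec Endpoint Protection Manager" service.
SERVICE_NAME = "semsrv"
# Assumption: file types SEPM can launch as a notification action.
ALLOWED_EXT = {".bat", ".cmd", ".exe"}

# Constructed 'sc qc' output for an interactive and a non-interactive LocalSystem service.
SAMPLE_SC_QC_INTERACTIVE = """[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: semsrv
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        SERVICE_START_NAME : LocalSystem
"""
SAMPLE_SC_QC_NOT_INTERACTIVE = SAMPLE_SC_QC_INTERACTIVE.replace(
    "110  WIN32_OWN_PROCESS (interactive)", "10  WIN32_OWN_PROCESS")


def check_action_file(name, bin_dir=SEPM_BIN, exists=os.path.exists):
    """Return a list of problems with the file name typed into the notification.

    'exists' is injectable so the check can be exercised without a SEPM install.
    """
    problems = []
    has_path = any(sep in name for sep in ("\\", "/", ":"))
    if has_path:
        problems.append("path names are not allowed; type only the file name")
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXT:
        problems.append("extension %r is not a batch file or executable" % ext)
    if not has_path and not exists(os.path.join(bin_dir, name)):
        problems.append("%s is not present in %s" % (name, bin_dir))
    return problems


def service_is_interactive(sc_qc_output):
    """True if 'sc qc' reports the service TYPE as interactive, i.e. the TYPE line
    reads like 'TYPE : 110  WIN32_OWN_PROCESS (interactive)'."""
    match = re.search(r"^\s*TYPE\s*:\s*\S+\s+(.+)$", sc_qc_output, re.MULTILINE)
    return bool(match) and "(interactive)" in match.group(1).lower()


def query_service_interactive(name=SERVICE_NAME):
    """Live check on the SEPM host (Windows only): run 'sc qc' and parse the result."""
    result = subprocess.run(["sc", "qc", name], capture_output=True, text=True, check=False)
    return service_is_interactive(result.stdout)


if __name__ == "__main__":
    for problem in check_action_file("notify.bat"):
        print("action file:", problem)
    print("service interactive:", query_service_interactive())
```

    Run it after saving the notification and before waiting for the next alert: a missing file or a non-interactive service fails silently from the console's point of view, and the problem only shows up as a notification that never runs its action.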



    Network Threat Protection Email Notifications

    You may want to create a Network Threat Protection notification that is triggered when a traffic
    event matches the criteria that are set for a firewall rule.

    To create this type of notification, you must perform the following tasks:
    • In the Firewall Policy Rules list, check the Send Email Alert option in the Logging column of the rules you want to be notified about.
    • On the Notifications tab, configure a Client security alert for Network Threat Protection, Packet, or Traffic events, with Send email to as the action. Optionally, the same alert can also run a batch file or other kind of executable file.

    Note: To send notifications by email, you must also configure a mail server. To configure a mail
    server, click the Admin > Servers page, select a server, click Edit Server Properties, and then
    click the Mail Server tab.

    See “Configuring notifications for Network Threat Protection” below, or on page 483 of the
    Administration_Guide.PDF

    For a description of each configurable option, you can click Tell me more on the
    Symantec Endpoint Protection Manager Console. Tell me more displays context-sensitive Help.

    Note: You can filter your view of the Notification Conditions you have created by using the Show
    notification types list box. To be sure that the new notifications that you create are displayed, make
    sure that All is selected in this list box.


    To Create a Network Threat Protection administrative notification:
    1. In the management console, click Monitors.
    2. On the Notifications tab, click Notification Conditions.
    3. Click Add and select Client security alert.
    4. Type in a name for this notification.
    5. If you want to limit this notification to specific domains, groups, servers, or computers, specify the filter options that you want.
    6. To further filter when the notification is sent, select one of the following outbreak types:
      • Occurrences on distinct computers
      • Occurrences on any computer
      • Occurrences on single computer
    7. To specify the type of Network Threat Protection activity, check one of the following check boxes:
      • For the attacks and events that the firewall detects or the Intrusion Prevention signatures detect, check Network Threat Protection events
      • For the firewall rules that are triggered and recorded in the Packet Log, check Packet events
      • For the firewall rules that are triggered and recorded in the Traffic Log, check Traffic events
    8. If desired, change the default notification conditions to set the number of occurrences within the number of minutes that you want to trigger this notification.
    9. Check Send email to, and then type in the email addresses of the people that you want to notify when these criteria are met.
    10. Click OK.

    The Send Email Alert option in the Logging column of the Firewall Policy Rules list is now operational.
    When this notification is triggered, email is sent.

    See “Configuring email messages for traffic events” on page 485 of the Administration_Guide.PDF.



    Network Threat Protection notifications:

    By default, notifications appear on client computers when the client detects various Network
    Threat Protection events. You can configure some of these notifications. Enabled notifications
    display a standard message to which you can add customized text.

    To configure firewall notifications:
    1. In the console, open a Firewall Policy. See “Editing a policy” in the Administration_Guide.PDF on page 336.
    2. On the Firewall Policy page, click Rules.
    3. On the Notifications tab, check Display notification on the computer when the client blocks an application.
    4. To add customized text to the standard message that appears when a rule's action is set to Ask, check Additional text to display if the action for a firewall rule is 'Ask'.
    5. For either notification, click Set Additional Text.
    6. In the Enter Additional Text dialog box, type the additional text you want the notification to display, and then click OK.
    7. When you are done with the configuration of this policy, click OK.


    To configure intrusion prevention notifications:
    1. In the console, click Clients and under View Clients, select a group.
    2. On the Policies tab, under Location-specific Policies and Settings, under a location, expand Location-specific Settings.
    3. To the right of Client User Interface Control Settings, click Tasks , and then click Edit Settings.
    4. In the Client User Interface Control Settings for group name dialog box, click either Mixed control or Server control.
    5. Beside Mixed control or Server control, click Customize. If you click Mixed control, on the Client/Server Control Settings tab, beside Show/Hide Intrusion Prevention notifications, click Server. Then click the Client User Interface Settings tab.
    6. In the Client User Interface Settings dialog box or tab, click Display Intrusion Prevention notifications.
    7. To enable a beep when the notification appears, click Use sound when notifying users.
    8. In the Number of seconds to display notifications text field, type the number of seconds that you want the notification to appear.
    9. To add text to the standard notification that appears, click Additional Text.
    10. In the Additional Text dialog box, type the additional text you want the notification to display, and then click OK.
    11. Click OK, then click OK again to complete configuration.


    Configuring email messages for traffic events:

    You can configure the Symantec Endpoint Protection Manager to send an email message to
    you each time the firewall detects a rule violation, attack, or event. For example, you may want
    to know when a client blocks the traffic that comes from a particular IP address. Enable Send
    Email Alert only on the rules you genuinely need to hear about: a rule that matches routine
    traffic generates a large volume of alerts, and after the first email the damper period suppresses
    the rest for an hour, including alerts you would have wanted to see.
    To configure email messages for traffic events:
    1. In the console, open a Firewall Policy. See “Editing a policy” in the Administration_Guide.PDF on page 336.
    2. On the Firewall Policy page, click Rules.
    3. On the Rules tab, select a rule, right-click the Logging field, and do the following actions:
      • To send an email message when a firewall rule is triggered, check Send Email Alert
      • To generate a log event when a firewall rule is triggered, check both Write to Traffic Log and Write to Packet Log
    4. When you are done with the configuration of this policy, click OK.

    To configure a security alert, see “Creating administrator notifications” in the Administration_Guide.PDF on page 211.
    To configure a mail server, see “Establishing communication between Symantec Endpoint Protection Manager and email servers” in the Administration_Guide.PDF on page 259.


    About editing existing notifications

    If you edit the settings of an existing notification, the previous entries that it generated
    display messages in the notifications log based on your new settings. If you want to
    retain your past notification messages in the notifications log view, do not edit the
    settings of an existing notification. Instead, create a new notification with a new name.
    Then, disable the existing notification by unchecking the actions that were configured
    under What should happen when this notification is triggered.


References
See “Configuring email messages for traffic events” on page 485 of the Administration_Guide.PDF located on CD1 in the Documentation folder.


Legacy ID

2009010512081748